Windows Server 2019 shut down by who?

Marc Villeneuve (MCQ) 1 Reputation point
2022-08-12T18:25:04.937+00:00

We have some Windows 2019 servers that are sometimes shut down by "NT AUTHORITY\SYSTEM" with reason "other (planned)". It looks like someone shut down the server at the Windows prompt from the Imprivata screen (logon screen). So we don't have the information about which user did it. As the user has to go through Dameware or the console via VMware to get on it, is there anywhere I can look to see who opened the console session without logging in? I am sure the user isn't going through VMware, as we are only 5 persons who can go there with it and we all know what each one is doing.

We have been through the Event Viewer and didn't find anything that could lead to something to point to.
We see event 1074 initiated by the user "NT AUTHORITY\SYSTEM"; the source is "User32". The comment is "OneSign Locked stat shutdown".

Is there something that leads to someone who opened a remote console session?

The environment of the server is: virtual server on VMware, app installed on this server deployed by Citrix in seamless mode (no access to desktop). Imprivata for single sign-on. Lots of free RAM, lots of free space, CPU running well. We have 5 servers for the same app with Citrix. So far we have had 3 servers that rebooted at some point...

Tx


3 answers

  1. Marc Villeneuve (MCQ) 1 Reputation point
    2022-08-12T18:41:15.017+00:00

    I forgot that Dameware isn't installed on this server. Could it be the Citrix WEM agent that forces a shutdown?


  2. Amol Shelar 401 Reputation points
    2022-08-13T18:21:38.277+00:00

    @Anonymous ,

    To help you in a better way, can you share a few more details with us -

    1. Are you using a generic user account (e.g. Administrator) for all the 5 users?
    2. Do you have an AD domain environment for Citrix?
    3. How many of you have access to the VMware console?
    4. Have you verified the VMware logs, especially whether someone initiated a Guest OS reboot?
    5. In all the reboot events, are you getting the same event logs?
    6. Have you verified CPU, memory and IOPS reports?
    7. As an initial step, I would suggest creating user-specific accounts and restricting system shutdown access to Administrator only.

    _AmolShelar

    -please don't forget to upvote and Accept as answer if the reply is helpful-


  3. Marc Villeneuve (MCQ) 1 Reputation point
    2022-08-16T15:28:36.847+00:00

    1 - No. All personal accounts
    2 - Yep, on AD
    3 - 3 at that time
    4 - Yep, all verified
    5 - Yep, all the same
    6 - Yes, all fine
    7 - We did that in the Imprivata options. It looks like someone had access to the first screen of Imprivata when the app (in seamless mode) is left alone and goes into screensaver. A user could then have access to the menu to reboot or shut down the server... now the user cannot do that. We will see whether the problem comes back.

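One way to look for session activity around each shutdown, as an added example that is not part of the original thread: it lists every event 1074 from the System log together with the Remote Desktop session and screen-saver events logged in the minutes before it. The 10-minute window and 30-day history are assumptions, and Security events 4802/4803 appear only if the "Other Logon/Logoff Events" audit subcategory is enabled.

```powershell
# Added example: correlate shutdown requests (System log, event 1074) with
# session activity recorded shortly before them. Run elevated on the server.
# Assumptions: 10-minute look-back and 30-day history, adjust as needed.
$lookBack = New-TimeSpan -Minutes 10
$since    = (Get-Date).AddDays(-30)

# Event 1074 (source User32) records the process, user and comment of a shutdown request.
$shutdowns = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $since
} -ErrorAction SilentlyContinue

# Logs that show which sessions were connected, disconnected or idle.
$sessionSources = @(
    @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
       Id = 21, 23, 24, 25 },          # session logon, logoff, disconnect, reconnect
    @{ LogName = 'Security'
       Id = 4778, 4779, 4802, 4803 }   # session reconnect/disconnect, screen saver on/off
)

$report = foreach ($s in $shutdowns) {
    foreach ($src in $sessionSources) {
        # Copy the filter and restrict it to the window before this shutdown.
        $filter = $src.Clone()
        $filter.StartTime = $s.TimeCreated - $lookBack
        $filter.EndTime   = $s.TimeCreated
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time   = $_.TimeCreated; Kind = 'session'; Id = $_.Id
                    Detail = ($_.Message -replace '\s+', ' ').Trim()
                }
            }
    }
    # For 1074: Properties[0] = process, [5] = comment, [6] = user.
    [pscustomobject]@{
        Time   = $s.TimeCreated; Kind = 'SHUTDOWN'; Id = $s.Id
        Detail = 'process={0} user={1} comment={2}' -f $s.Properties[0].Value,
                 $s.Properties[6].Value, $s.Properties[5].Value
    }
}

$report | Sort-Object Time | Format-Table Time, Kind, Id, Detail -AutoSize -Wrap
```

A shutdown with no session or screen-saver rows in its window is consistent with the thread's finding that it was triggered from the logon screen without anyone signing in.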